Filter not allowing VPN (PPTP) access?
Posted: Tue May 03, 2011 8:49 pm
by GlueGuy
I've got a new RouterOS installation, using my default filter settings that is not allowing VPN access. I set up a filter rule (# 6 below) on the input chain to allow access through the PPTP port (1723), but it's not triggering. Instead it's falling through to the "drop everything else" rule.
If I disable the "drop everything else" rule, then PPTP access works.
/ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Drop invalid connections
chain=input action=drop connection-state=invalid
1 ;;; Allow established connections
chain=input action=accept connection-state=established
2 ;;; Allow related connections
chain=input action=accept connection-state=related
3 ;;; Allow UDP
chain=input action=accept protocol=udp
4 ;;; Allow ICMP
chain=input action=accept protocol=icmp
5 ;;; Allow incoming on the BACnet port
chain=input action=accept protocol=udp in-interface=ether1 dst-port=47808
6 ;;; Allow incoming for PPTP tunnel
chain=input action=accept connection-state=new protocol=tcp dst-port=1723 connection-type=pptp
7 ;;; Allow input from the private address space
chain=input action=accept src-address-list=private
8 ;;; Log everything about to be dropped
chain=input action=log log-prefix="Drop"
9 ;;; Drop everything else
chain=input action=drop
I've tried different variations on rule #6, but nothing seems to trigger.
Anyone know what I'm missing here? ROS version is 4.17, but I also tried 3.13.
Re: Filter not allowing VPN (PPTP) access?
Posted: Tue May 03, 2011 9:06 pm
by fewi
6 ;;; Allow incoming for PPTP tunnel
chain=input action=accept connection-state=new protocol=tcp dst-port=1723 connection-type=pptp
PPTP uses two connections: tcp/1723 as a control channel, and a GRE tunnel that carries the actual data. connection-type=pptp matches GRE tunnels that the firewall previously observed being set up via tcp/1723 control channels. The control channel itself, however, will never match that. Because you're referring to this relationship in your rule, it doesn't match, so the packets drop through to rules further below. Remove the connection-type=pptp from this rule. Your related rule:
2 ;;; Allow related connections
chain=input action=accept connection-state=related
will then permit the GRE tunnel.
Re: Filter not allowing VPN (PPTP) access?
Posted: Tue May 03, 2011 9:21 pm
by GlueGuy
Thanks for the very quick response. I guess I hadn't tried that variation yet. I did look at another router, where I had it working properly, and sure enough, it didn't have the PPTP connection-type modifier.
When I dropped that, it started working correctly.
Re: Filter not allowing VPN (PPTP) access?
Posted: Fri Jun 03, 2011 6:54 pm
by Evelio
Hello,
I followed the instructions and filter rules in the posts to allow VPN through the firewall.
I am worried about too many things getting dropped. So I am logging but have disabled the dropping until I get an answer :)
Is this Ok?
Sample drops:
11:50:23 firewall,info Drop input: in:ether1 out:(none), src-mac 00:12:1e:0c:98:02, proto TCP (SYN), 173.78.168.102:4570->MyPublicIP:37885, len 32
11:50:23 firewall,info Drop input: in:ether1 out:(none), src-mac 00:12:1e:0c:98:02, proto TCP (SYN), 217.10.42.79:64421->MyPublicIP:35908, len 44
11:50:24 firewall,info Drop input: in:ether1 out:(none), src-mac 00:12:1e:0c:98:02, proto TCP (SYN), 203.200.217.180:61068->MyPublicIP:35908, len 44
11:50:24 firewall,info Drop input: in:ether1 out:(none), src-mac 00:12:1e:0c:98:02, proto TCP (SYN), 173.78.168.102:4570->MyPublicIP:37885, len 32
Re: Filter not allowing VPN (PPTP) access?
Posted: Fri Jun 03, 2011 7:04 pm
by Evelio
Some of these drops are from Netvision Networks, which is video conferencing or video streaming software....
Re: Filter not allowing VPN (PPTP) access?
Posted: Sat Sep 10, 2016 3:42 pm
by dcabro
Same issue here. Do not understand why the filter/firewall is dropping packets.
Here are my rules:
[java@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=accept protocol=icmp in-interface=!pppoe-out1 log=no log-prefix=""
1 chain=input action=accept connection-state=established
2 chain=input action=accept connection-state=related
3 chain=input action=drop in-interface=pppoe-out1 log=yes log-prefix=""
4 chain=input action=accept protocol=tcp in-interface=pppoe-out1 dst-port=1723 log=no log-prefix=""
5 chain=input action=accept protocol=gre log=no log-prefix=""
However, log shows:
14:40:55 firewall,info input: in:pppoe-out1 out:(none), src-mac e4:8d:8c:2c:88:33, proto TCP (SYN), masked.source.ip:44799->masked.dest.ip:1723, len 60
Re: Filter not allowing VPN (PPTP) access?
Posted: Tue Sep 13, 2016 10:30 pm
by dcabro
Anyone?
Re: Filter not allowing VPN (PPTP) access?
Posted: Wed Sep 14, 2016 1:17 am
by 2frogs
Accept before you drop! You need to reorder your rules so your drop is at the bottom.
And please, in the future, create a new post instead of posting on an old one.
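Both answers in this thread come down to how the input chain is walked: top to bottom, first matching rule decides, and a matcher that can never be true for a given packet (connection-type=pptp on the tcp/1723 control SYN, as fewi explains) or a drop placed above its accept (dcabro's rule 3, as 2frogs points out) sends the packet to the wrong rule. The script below is an added illustration, not RouterOS code or anything posted in the thread. It re-creates the two posted rule sets as Python data and walks them with a small first-match evaluator. The function names (evaluate, glueguy_chain, dcabro_chain), the packet model and the sample packets are all constructed here; the one behavioural assumption, taken from fewi's post, is that conntrack tags only the helper-tracked GRE packets with connection-type pptp and never the tcp/1723 control connection itself.

```python
"""First-match walk through a RouterOS-style input chain.

Constructed example, not RouterOS code: it models only the matchers the
thread's rule dumps use (connection-state, connection-type, protocol,
dst-port, in-interface, src-address-list) and applies the chain's logic of
"first matching rule wins; log is pass-through; no match means accept".
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    protocol: str                          # "tcp", "udp", "gre", "icmp"
    in_interface: str
    dst_port: Optional[int] = None
    connection_state: str = "new"          # new / established / related / invalid
    connection_type: Optional[str] = None  # helper tag: conntrack sets "pptp" on GRE
                                           # tracked via tcp/1723, never on tcp/1723 itself
    src_address_list: Optional[str] = None


@dataclass
class Rule:
    comment: str
    action: str                            # "accept", "drop" or "log"
    match: Dict[str, object] = field(default_factory=dict)

    def matches(self, pkt: Packet) -> bool:
        for key, want in self.match.items():
            have = getattr(pkt, key)
            if isinstance(want, str) and want.startswith("!"):  # negated, e.g. in-interface=!pppoe-out1
                if have == want[1:]:
                    return False
            elif have != want:
                return False
        return True


def evaluate(chain: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (verdict, comment of the deciding rule)."""
    for rule in chain:
        if rule.matches(pkt):
            if rule.action == "log":       # log does not end the walk
                continue
            return rule.action, rule.comment
    return "accept", "end of chain"        # default when nothing matched


def glueguy_chain(keep_connection_type: bool) -> List[Rule]:
    """The first post's rules; rule 6 with or without connection-type=pptp."""
    pptp = {"connection_state": "new", "protocol": "tcp", "dst_port": 1723}
    if keep_connection_type:
        pptp["connection_type"] = "pptp"
    return [
        Rule("Drop invalid connections", "drop", {"connection_state": "invalid"}),
        Rule("Allow established connections", "accept", {"connection_state": "established"}),
        Rule("Allow related connections", "accept", {"connection_state": "related"}),
        Rule("Allow UDP", "accept", {"protocol": "udp"}),
        Rule("Allow ICMP", "accept", {"protocol": "icmp"}),
        Rule("Allow incoming on the BACnet port", "accept",
             {"protocol": "udp", "in_interface": "ether1", "dst_port": 47808}),
        Rule("Allow incoming for PPTP tunnel", "accept", pptp),
        Rule("Allow input from the private address space", "accept", {"src_address_list": "private"}),
        Rule("Log everything about to be dropped", "log"),
        Rule("Drop everything else", "drop"),
    ]


def dcabro_chain(drop_last: bool) -> List[Rule]:
    """dcabro's rules as posted (drop at position 3) or with the drop moved to the end."""
    drop = Rule("Drop from pppoe-out1", "drop", {"in_interface": "pppoe-out1"})
    accepts = [
        Rule("Accept PPTP control", "accept",
             {"protocol": "tcp", "in_interface": "pppoe-out1", "dst_port": 1723}),
        Rule("Accept GRE", "accept", {"protocol": "gre"}),
    ]
    head = [
        Rule("Accept ICMP not from pppoe-out1", "accept",
             {"protocol": "icmp", "in_interface": "!pppoe-out1"}),
        Rule("Accept established", "accept", {"connection_state": "established"}),
        Rule("Accept related", "accept", {"connection_state": "related"}),
    ]
    return head + accepts + [drop] if drop_last else head + [drop] + accepts


# Constructed packets: the PPTP control-channel SYN, and a GRE data packet that
# conntrack has already tied to an established tcp/1723 connection.
CONTROL_SYN = Packet("tcp", "ether1", dst_port=1723, connection_state="new")
GRE_DATA = Packet("gre", "ether1", connection_state="related", connection_type="pptp")
CONTROL_SYN_PPPOE = Packet("tcp", "pppoe-out1", dst_port=1723, connection_state="new")

if __name__ == "__main__":
    print("rule 6 with connection-type:   ", evaluate(glueguy_chain(True), CONTROL_SYN))
    print("rule 6 without connection-type:", evaluate(glueguy_chain(False), CONTROL_SYN))
    print("GRE data on either chain:      ", evaluate(glueguy_chain(True), GRE_DATA))
    print("dcabro, drop at rule 3:        ", evaluate(dcabro_chain(False), CONTROL_SYN_PPPOE))
    print("dcabro, drop moved last:       ", evaluate(dcabro_chain(True), CONTROL_SYN_PPPOE))
```

Running it shows the control SYN falling all the way to "Drop everything else" while rule 6 still carries connection-type=pptp, being accepted by rule 6 once that matcher is removed, and the GRE data packet being accepted by the related rule in both cases. For dcabro's set, the same SYN is dropped by the interface-wide drop until that rule is moved below the accepts. The same walk explains the logged SYNs in the thread: a "Drop"-prefixed log line is just rule 8 firing on whatever nothing above it accepted.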